ent - · pdf fileproducts and business/customer segments that we are involved in. ... the...
TRANSCRIPT
ENT
Group Activities
In the course of our daily operations, the Group takes on a wide variety of risks. Some of these risks are the results of internal factors such as the products and business/customer segments that we are involved in. Other types of risks are derived from external factors, driven by changes in the global/domestic economy. the main types of risks faced by the Group are summarised below:
Reputational RiskThe public’s perception of a bank’s reputation is crucial. Reputational Risk is the risk arising from negative perception to customers, counter-parties, shareholders, investors, debt-holders, market analyst, other relevant key stakeholders or regulators that can adversely affect a bank’s ability to maintain existing, or establish new, business relationships and continued access to sources of funding.
Strategic RiskIf a bank adopts the wrong business strategy, fails to properly execute its business strategy, or respond to industry, economy or technological changes, the bank’s earnings and capital may be impacted.
Credit RiskA bank may suffer losses due to failure by its customers/counterparties to fulfil their contractual financial obligations to repay their loans or to settle their financial commitments. The Group’s credit risk exposures arise primarily from lending, investment and trading activities.
Strategic Risk
Repu
tatio
nal R
isk
Credit risk
Market risk
Liquidity risk
Operational risk
Legal & Regulatory Risk
Shariah Non-Compliance Risk
market RiskA bank may suffer losses arising from changes in interest/profit rates, foreign exchange rates, equity prices, commodity prices and/or due to volatile market conditions.
liquidity RiskLiquidity risk takes two forms:• A bank must be able to fund its financial commitments when due; or• A bank may incur losses when attempting to liquidate assets due to
market disruptions and/or illiquid market situations.
Operational RiskOperational risk covers a wide array of risks, such as direct or indirect losses resulting from failures of internal processes, people and systems or from external events.
legal and Regulatory RiskA bank may suffer financial losses and incur penalties arising from breaches of applicable laws/regulations. A bank may also incur losses due to lawsuits.
Shariah Non-Compliance RiskA bank may suffer financial losses and incur penalties arising from failure to comply with Shariah rules and principles.
How are these risks managed?
the Group strives to continuously balance between risks and returns, amidst changing economic conditions and implementation of new/revised regulations. We achieve this by practicing good corporate and risk governance as part of the Group’s Integrated Risk Management Framework. the key themes include:
• Board oversight of the Group’s activities;• Proper supervision by the Management;• Upholding our Corporate Values; • Adequate segregation of duties, along the three Lines of Defence;• Adhering to a balanced Risk Appetite;• Close monitoring of our risk profiles; • Fine-tuning our policies, processes and controls; and• Conducting stress tests and contingency planning.
these areas are briefly described below.
What is the Group’s risk appetite?
the Group seeks to achieve sustainable business growth by:
• Balancing between business growth and risk-taking;• Balancing between the expectations of our various stakeholders;
and• Managing our Business Risks and Strategic Risks.
Capital Markets
Stockbroking
Financial MarketsLoans/
Financing
Wealth Management
Islamic Banking
deposits
Our risk Appetite Statement was approved by the Board, and it includes several key metrics:
• Maintaining sufficient capital buffer under business-as-usual operations and projected stress scenarios;
• Maintaining sufficient liquidity buffer to fund daily operations and contingencies;
• Generating equitable level of returns while controlling/managing business activities; and
• Maintaining good quality assets in our loan books through active management of loans, investments and trading activities.
these are monitored regularly to ensure that the Group stays within the appropriate risk boundaries.
How does the Board provide good oversight on risks?
the Board meets regularly with the Senior Management team to review the Group’s business activities/performance, financial and risk profile. The Board also approves the Group’s Annual Budget and Business Plan. The Board is assisted by several Board-Level Committees and Senior Management Committees. The risk-related committees include:
Board Committees:Group risk Management Committee, executive Committee, Group Audit Committee, and Shariah Committee.
management Committees:Group Assets & Liabilities Management Committee, Group Management Credit Committee, Credit Portfolio review Committees, Group Operational risk Management Committee, and Product review Group.
Board of directors
• Provides oversight on business strategies and significant policies.• Sets the Bank’s Risk Appetite.
Group Assets & liabilities management
Governs:• Balance sheet and capital management• Liquidity risk management• Interest/profit rate risk management
Portfolio Review Committees• ConsumerBanking• SMEBanking• WholesaleBanking
Monitors the credit quality of the loans/financing portfolios for the respective lines of business.
Group Operational Risk management Committee
Reviews the Group’s operational risk issues/profile.
Product Review Group
Governs the introduction of new products, covering in-house developed products and 3rd Party (bancassurance and wealth management) products.
Group management Credit Committee
• Approve credit proposals and limits.
Group Risk management Committee
• Reviews risk management strategies, policies and risk tolerance/limits.
• Reviews Compliance reports/issues.• Ensures infrastructure and resources
are in place to manage risk.
Executive Committee
• Provides oversight on business issues.
• Reviews large credit exposures.
Group Audit Committee
• Oversees the adequacy and effectiveness of the Group’s internal controls.
Shariah Committee
• Oversees Shariah governance/ compliance matters.
The Board also provides oversight on the Group’s Integrated Risk Management Framework (IrMF), a structured approach to align risk strategies, risk culture, policies, processes, people and technology towards managing the various risks faced, on group-wide basis. The key components of the IrMF are presented in the diagram.
What is the Group’s Risk Culture?
risk culture is a critical dimension of the IrMF as it guides our employees on the right behaviour during the course of their daily activities. All employees have an important role to play in helping the Group to manage our risk profile.
the Group undertakes ongoing risk awareness programmes to instil in our employees the discipline of exercising prudence and to live up to our core values in their day-to-day functions. Induction Programmes are conducted for new employees to integrate them within our corporate/risk culture. Similar themes/reminders are also inserted in our leadership development programmes.
Key themes of our risk culture include:• Our corporate ethics and values: Respect, Integrity, Teamwork and
excellence• Leadership• Accountability• Meritocracy• Communication
Board of directors
Board-level Committees
management-level Committees
• Formulates and enhances risk management, compliance and Shariah frameworks.
• Recommends risk management/compliance/Shariah policies, methodologies, limits and parameters.
• Reviews adequacy of control measures.
• Independent risk monitoring and reporting.
• Owns the risk associated with business.
• Ensures activities are conducted within the approved policies and limits.
Business units& Business Risk Functions
1Independent risk Control units:
• Group Risk Management
• Group Compliance
• Shariah Review Team
2Group Internal Audit
3
• Independently assesses the adequacy and effectiveness of risk policies and internal controls.
3 lines of defence
Governance & Organisation
Strategy
Architecture & design
People & Culture
risk Frameworks &
Policies
risk Methodologies
& Tools
Risk Limits & Parameters
risk Communication &
disclosures
risk Governance
3 Lines of defence
risk Appetite
risk Culture
RISKENT (cont’d)
How does the Three lines of defence concept work?
The Bank’s risk management framework operates on the 3 Lines of defence model. each line of defence has distinct functional roles, designed to balance business ownership and accountability for risks with independent risk management control and monitoring. Internal audit functions as the last line of defence in this check and balance system.
Risk Reporting & escalation
risk Management
Lifecycle
risk Identification
risk Monitoring
risk Mitigation & Control
risk Assessment
What are the components, techniques and tools used to manage risks?
We use a combination of the following risk components, techniques and tools:
Risk Frameworks, Policies and limits• We establish risk frameworks to cover each key risk area.• We set supplementary policies to govern individual products,
business segments and entities.• We factor-in regulatory requirements as well as best practices. • We set risk parameters and limits, guided by the Group’s risk
appetite, and add on operational controls.• We use a wide array of limits and controls, to suit different products/
businesses.• We use a combination of quantitative measures and qualitative/
judgmental assessments to govern our risk-taking activities. • We engage the relevant Business and Control functions, to seek
input on the proposed policies, limits and controls.• We review/revise these risk frameworks and policies periodically, to
adjust to changing market conditions and new regulations.
Risk methodologies & Tools• We strive to use statistical tools to quantify and aggregate risks
across products, business segments and business entities.• These quantitative techniques/tools include credit scorecards, risk-
rating templates, expected loss models, stress testing and scenario analyses.
• Measurement of risks enables us to gauge the risk levels against risk limits. these are reported to the Senior Management/Board Committees.
• To ensure that these tools continue to function as intended, we employ other techniques to back test and independently validate their reliability.
• Where warranted, our risk models are recalibrated and fine-tuned.• We avoid over-reliance on statistical models by combining the use
of these tools alongside sound judgmental controls.
Risk Communication and disclosures• We promote active communication of risks by:
• Documenting our policies, limits and procedures; and disseminating this information to relevant staff;
• Training our employees;• Tracking and reporting on our progress, performance and
activities;• Highlighting exceptions and key developments to Management
and the Board; and• Communicating to customers, regulators and other
stakeholders.
Identify the various risks inherent to each product or activity.1
Adopt quantitative and qualitative approaches to measure and assess these risks, in terms of quantum, severity of impact and likelihood of occurrence.
2
examine various measures to mitigate/control these risks. Proceed to select and implement an appropriate set of risk mitigants and control measures.
3
the risks and controls are monitored. Areas of significant risks are monitored more closely/frequently. Identify adverse trends. take corrective measures. revise business/risk strategies where necessary.
4
Periodic risk reports/dashboards are provided to the Senior Management and the Board. Key issues and exceptions are escalated to their attention.
5
Analyse feedback gathered above. Fine-tune and apply revised approach. 6
Phase
What are the processes involved in risk management?
We practice a life-cycle approach towards managing risks.
ENT (cont’d)
How are different types of risk managed?
We use different approaches to manage the different types of risks, as shown below:
Frameworks & Policies
methodologies, Toolslimits & Parameters
• Shariah Governance Framework
• Shariah reviews and rating.
• Shariah non-compliance monitoring and reporting.
Shariah Non-
Compliance risk
• Reputational Risk Management Framework
• Code of Conduct
• Stakeholder and media analysis.
• Monitoring of corporate risk rating.
• Regular industry and market benchmarking.
• Investors relations.
• Transparent disclosures and communications.
reputationalrisk
• Strategic Risk Management Framework
• Integrated business strategy, risk appetite and capital planning process.
• Tracking of strategic initiatives and deliverables.
• Regular reviews by Management and Board.
Strategicrisk
Operational risk
Legal & regulatory
risk
• Operational Risk Management Framework
• Fraud Management Framework
• Business Continuity Plan
• Compliance Framework
• Legal Manual
• Anti-Money Laundering & Counter Financing of terrorism Policy
• Risk and Control Self-Assessment.
• Control Self-Assessment.
• Key Risk Indicators.
• Loss Event Data Collection.
• Heat maps.
• Operational risk & compliance reviews.
• New product assessment.
• Compliance and risk awareness programmes.
Credit risk
• Credit Risk Management Framework
• Credit Product Programmes
• Credit assessments, quantitative and qualitative.
• Risk acceptance criteria.
• Credit rating templates and scorecards.
• Credit concentration limits on single customer, sector, industry, etc.
• Early warning triggers.
Liquidity risk
• Liquidity Risk Management Framework
• Contingency Funding Plan
• Liquidity gap analysis.
• Liquidity stress testing.
• Diversification of funding by source, type of depositor, instrument, etc.
• Deposit concentration.
• Liquidity ratios, triggers and thresholds.
Market risk
• Market Risk Management Framework
• Trading Policy Statement
• Valuation Policy
• Hedging Policy
• Value-at-Risk & Back testing
• Treasury Product Programmes
• Market risk limits such as position limits, sensitivity limits, value-at-risk limits and loss tolerance limits.
• Revaluation, marking-to-market and marking-to-model.
• Stress testing and back testing.
• Hedging.
Frameworks & Policies
methodologies, Toolslimits & Parameters
does the Group conduct Stress Testing and Contingency Planning?
the Group performs stress testing to estimate the potential impact of extreme events on the Group’s earnings, balance sheet and capital. These stress tests also aim to gauge our sensitivity/vulnerability to a business sector, product segment or customer segment.
We examine an alternative future scenario that could cause problems to the Group. For example, we conduct stress tests to gauge the potential impact of an economic downturn. These ‘what-if’ simulations enable the Group to assess the potential worst case scenarios. We then proceed to make contingency plans to face critical situations.
these stress test parameters are formulated in consultation with various stakeholders, taking into account the current economic climate and plausible scenarios. the results are analysed and reported to the Stress test Working Group, the Group risk Management Committee and the respective Bank Boards. Proactive actions are taken to address areas of potential vulnerability, where warranted.
In addition to credit-related stress tests, the Group also conducts scenario analyses to:
• Ensure that we have sufficient cash and liquid assets to face a liquidity crunch;
• Ensure that we have sufficient capital to fund business growth for the current financial year as well as the next few years; and
• Assess the impact of worsening market conditions, affecting the stock exchange, bonds and forex markets.
the Group has also established various early warning risk triggers to monitor leading indicators of risk.
Our contingency plans are not merely limited to desktop exercises. We carry out periodic exercises including physical simulations of systems failures and business resumption plans, fire-drill evacuation procedures, and activation of ‘buddy branches’ and alternate work-sites.
What are the key regulatory developments and its risk impact to the Banking Sector?
during the year, Bank negara Malaysia (BnM) had maintained interest rates at an accommodative and supportive level for the economy. Other key developments include the following:
Capital and liquidity RequirementsBNM had issued guidelines to adopt the Basel Committee’s recommendations on minimum capital requirements. Malaysia is adopting a phased implementation approach that will require banks to maintain progressively higher capital levels each year, up to 2019.
BNM has also adopted the Basel Committee’s recommendations on liquidity risk management. the Liquidity Coverage ratio (LCr) is scheduled to be implemented in June 2015. the impact of this liquidity requirement is two-fold: banks will need to mobilise more deposits from retail customers, as well as hold more high quality liquid assets to meet funding contingencies.
the measures taken by the Group to address the capital and liquidity requirements include:
• Diversification of our deposit base in terms of deposit type and source;
• Continuous monitoring of our internal liquidity triggers and ratios;• Ongoing capital assessment and planning via our Internal Capital
Adequacy Assessment Process (ICAAP); and• Stress testing/simulations on capital and liquidity.
Other Banking Regulations the regulatory landscape, both internationally and locally is constantly evolving and revised banking regulations/guidelines are issued on a wide spectrum of areas such as risk pricing and transparency, liquidity requirements, capital adequacy, Shariah compliance, tax and accounting. the Group recognises that these revised standards are intended to ensure good market conduct and to maintain a sound banking system.
the Group is required to make amendments to its products, services and operations, to keep pace with regulatory changes. these changes are communicated to our affected customers/counterparties.
Cyber SecurityIn recent years, the banking industry faces emerging risk related to information and cyber security. to address these risks, we are putting in place several control measures:
• Security enhancements at point-of-sale terminals (POS) and self-service banking facilities (Automated teller Machines);
• Multi-factor authentication for Internet banking transactions;• Chip and PIN verification for credit card transactions; • Customer risk profiling on online banking to identify anomalies; and• Regular vulnerability assessment and penetration testing on our
information security.